BreakawayPaul
Inspiring
September 30, 2010
Question

Restricting SQL privileges in CF Admin

  • September 30, 2010
  • 2 replies
  • 1105 views

I've been thinking lately about ways to better secure my web apps, and noticed on the CF administrator page (under data sources) that if you select a data source, then click the Advanced Settings button, you can restrict what SQL commands are allowed for that data source.

Since all my web apps only read from the database and don't modify data, couldn't I just allow only the SELECT clause? It seems like that would make SQL injection attacks a lot more difficult, or am I missing something?

Of course I would still practice proper coding (using cfqueryparam, etc) but it seems like this would add yet another layer of security.


2 replies

Inspiring
October 1, 2010

Well it's a good idea to secure the DB for the reasons you describe, but it should be the job of the DB to handle that, not an application using the DB.  So set up a DB user which has only read access to the relevant resources, and get CF to use that user to connect to the DB.

--

Adam

BreakawayPaul
Inspiring
October 1, 2010

Adam Cameron. wrote:

Well it's a good idea to secure the DB for the reasons you describe, but it should be the job of the DB to handle that, not an application using the DB.  So set up a DB user which has only read access to the relevant resources, and get CF to use that user to connect to the DB.

I wish.  We're using MS Access for our website database (I know, I know), and as far as I know, there's no good way to do what you suggested.

Were we using a decent db, I'd have already done it.

ilssac
Inspiring
October 1, 2010

Which is probably ONE big reason ColdFusion provides a method to do it at the Database Driver level for those poor souls who can't do it properly at the database level.

ilssac
Inspiring
September 30, 2010

Yes it could be another layer of security.

But as you indicated, don't let it be a substitute for other best practices, such as <cfqueryparam...>

Those ColdFusion DSN restrictions will only restrict the "STRINGS" of the various SQL commands.  ColdFusion has no way of telling if a string is a command, a comment or part of a data string.  So be careful with that.  It is a bit of a two-edged sword.  Hackers may be able to get their commands through the filters by obscuring the command strings.
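The two points made in this thread (Adam's advice to enforce read-only access in the database itself, and ilssac's warning that a DSN-level restriction only sees SQL text and cannot tell a keyword in data from a command) can be shown side by side in a small runnable model. The code below is an added example, not from any poster and not ColdFusion code; it uses Python with SQLite as a stand-in for the Access data source, a regex over the statement text as a stand-in for the CF Admin "allowed SQL" setting, and `?` placeholders as the analogue of `<cfqueryparam>`. The `articles` table, its two rows, and the visitor's search term "update" are all constructed for the demonstration.

```python
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data: a small "articles" table standing in for the site's read-only content.
SAMPLE_ROWS = [
    ("Release notes", "Install the patch, then update your password."),
    ("Welcome", "Thanks for visiting the club site."),
]

# Keywords a DSN-level "SELECT only" restriction might refuse (assumed list for the model).
BLOCKED_KEYWORDS = ("INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "GRANT", "REVOKE")
_BLOCKED_RE = re.compile(r"\b(" + "|".join(BLOCKED_KEYWORDS) + r")\b", re.IGNORECASE)


def keyword_filter_allows(sql_text: str) -> bool:
    """Model of a string-level SQL restriction: it scans the whole statement text and
    has no way of knowing whether a keyword is a command or part of a search term."""
    return _BLOCKED_RE.search(sql_text) is None


def build_inline_sql(term: str) -> str:
    """The anti-pattern cfqueryparam exists to replace: user input pasted into the SQL text."""
    return f"SELECT title FROM articles WHERE body LIKE '%{term}%'"


def make_demo_db(path: str) -> None:
    """Create the constructed demo database at the given path."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def open_db(path: str, readonly: bool) -> sqlite3.Connection:
    """readonly=True is the SQLite analogue of a DB account that has only read access:
    the engine itself refuses writes, whatever SQL text arrives."""
    if readonly:
        return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    return sqlite3.connect(path)


def search_param(path: str, term: str) -> list:
    """Parameterised search (the cfqueryparam approach): the term travels as data,
    so a keyword inside it is never interpreted as a command and needs no filtering."""
    conn = open_db(path, readonly=True)
    try:
        rows = conn.execute(
            "SELECT title FROM articles WHERE body LIKE ?", (f"%{term}%",)
        ).fetchall()
    finally:
        conn.close()
    return [title for (title,) in rows]


def try_write(path: str, readonly: bool) -> bool:
    """Return True if an INSERT succeeded, False if the database engine refused it."""
    conn = open_db(path, readonly)
    try:
        conn.execute("INSERT INTO articles (title, body) VALUES (?, ?)", ("New", "added"))
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        conn.close()


def run_demo() -> dict:
    """Run the whole comparison against a throwaway database and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "site.db")
        make_demo_db(path)
        return {
            # A visitor searching for the word "update" is refused by the string filter,
            # even though the statement is a plain SELECT (a false positive).
            "filter_blocks_legit_search": not keyword_filter_allows(build_inline_sql("update")),
            # The same search, parameterised, runs fine over a read-only connection.
            "param_results": search_param(path, "update"),
            # Writes succeed on the ordinary connection ...
            "write_via_rw": try_write(path, readonly=False),
            # ... and are refused by the engine on the read-only one.
            "write_via_ro": try_write(path, readonly=True),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The read-only connection is the part that does the real work: a SELECT-only account (or, here, `mode=ro`) is enforced by the database engine and does not depend on recognising anything in the SQL text, which is why Adam recommends it over the driver-level filter. The filter, by contrast, rejects an innocent search for "update" while offering no guarantee about statements it fails to recognise, which is the two-edged sword ilssac describes; parameterised queries avoid both problems.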

BreakawayPaul
Inspiring
September 30, 2010

OK well that's a bit annoying.  Sort of makes me wonder what the purpose of having it is, unless it's maybe just to stop the really unskilled hackers.

Thanks!

Inspiring
September 30, 2010

BreakawayPaul wrote:

OK well that's a bit annoying.  Sort of makes me wonder what the purpose of having it is, unless it's maybe just to stop the really unskilled hackers.

Thanks!

A single feature cannot realistically solve all security challenges.  The data source configuration options attempt to help you address part of your security problems.